Red Hat 3scale API Management: THREESCALE-8772

Adding support for STS authentication for S3 for system components


    • Sprints: RHOAM Sprint 32, API CCS Sprint 34 (3Scale), API CCS Sprint 35 (3Scale), API CCS Sprint 36 (3Scale), API CCS Sprint 37 (3Scale), API CCS Sprint 38 (3Scale), API CCS Sprint 39 (3Scale), API CCS Sprint 40 (3Scale), API CCS Sprint 42 (3Scale), API CCS Sprint 43 (3Scale), API CCS Sprint 44 (3Scale)

      Currently, when the system storage type is set to s3, the operator reads the secret referenced in the APIManager CR and passes all of its information to system-app via environment variables:

      FILE_UPLOAD_STORAGE = s3   # notify system that s3 storage is wanted
      "AWS_ACCESS_KEY_ID"            
      "AWS_SECRET_ACCESS_KEY"        
      "AWS_BUCKET"                   
      "AWS_REGION"                   
      "AWS_PROTOCOL"                 
      "AWS_HOSTNAME"                 
      "AWS_PATH_STYLE"
      

      This is everything an AWS client (the CLI or the SDK) needs to reach the S3 endpoints, but it relies on long-lived static credentials.

      With the new support for STS authentication (Security Token Service, which issues short-term, limited-privilege credentials), the secret generated by the Cloud Credential tooling looks like this:

      apiVersion: v1
      stringData:
        credentials: |-
          [default]
          role_arn = arn:aws:iam::12345:role/dev-eng-ocp4-sts-3scale-sts-rael-system-aws-creds
          web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
      kind: Secret
      metadata:
        name: 3scale-dev-eng-system-assets-cloud-credentials
        namespace: 3scale-sts-rael
      type: Opaque
      

      APIManager CR: STS flag to be added

      A boolean `sts` flag will be added to the APIManager CR so the operator can recognise whether it runs on an STS cluster or an IAM one.
      Example for an STS cluster:

      apiVersion: apps.3scale.net/v1alpha1
      kind: APIManager
      metadata: 
        name: apimanager-sample
        namespace: 3scale-test
      spec: 
        system: 
          fileStorage: 
            simpleStorageService: 
              configurationSecretRef: 
                name: s3-credentials
              sts: true
        wildcardDomain: <wildcardDomain>
      

      Secret types and keys

      The proposal is to support both IAM and STS credential secrets in the APIManager CR at `spec.system.fileStorage.simpleStorageService.configurationSecretRef`:

      apiVersion: apps.3scale.net/v1alpha1
      kind: APIManager
      metadata:
        name: apimanager-s3-sample
      spec:
        wildcardDomain: <desired-domain>
        system:
          fileStorage:
            simpleStorageService:
              configurationSecretRef:
                name: <configuration-secret-name>   # Support for both IAM and STS secret format

      The IAM AWS secret keeps the format used until now; no changes:

      apiVersion: v1
      kind: Secret
      metadata:
        name: aws-auth
      stringData:
        AWS_ACCESS_KEY_ID: 1234567
        AWS_SECRET_ACCESS_KEY: 987654321
        AWS_BUCKET: mybucket.example.com
        AWS_REGION: eu-west-1
      type: Opaque

      The STS AWS secret would have the following format (not all fields are shown; every available field, required or optional, will be documented):

      kind: Secret
      apiVersion: v1
      metadata:
        name: s3-credentials
        namespace: redhat-rhoam-3scale
      stringData:   # plain values; under `data:` each value would have to be base64-encoded
        AWS_ROLE_ARN: <role>
        AWS_WEB_IDENTITY_TOKEN_FILE: <token_path>
        AWS_BUCKET: <bucket_name>
        AWS_REGION: <region>
      type: Opaque

      Summary of keys for each secret "type" (IAM = static access key pair, STS = web identity role):

      Secret key                    IAM   STS   Required
      AWS_ACCESS_KEY_ID             yes   no    yes (IAM only)
      AWS_SECRET_ACCESS_KEY         yes   no    yes (IAM only)
      AWS_ROLE_ARN                  no    yes   yes (STS only)
      AWS_WEB_IDENTITY_TOKEN_FILE   no    yes   yes (STS only)
      AWS_BUCKET                    yes   yes   yes
      AWS_REGION                    yes   yes   yes
      AWS_HOSTNAME                  yes   yes   no
      AWS_PROTOCOL                  yes   yes   no
      AWS_PATH_STYLE                yes   yes   no

      SystemApp Environment Variables

      The 3scale operator will pass the following env vars to system-app, depending on the type of the S3 secret:

      Environment variable          IAM   STS
      FILE_UPLOAD_STORAGE           yes   yes   (always "s3")
      AWS_ACCESS_KEY_ID             yes   no
      AWS_SECRET_ACCESS_KEY         yes   no
      AWS_ROLE_ARN                  no    yes
      AWS_WEB_IDENTITY_TOKEN_FILE   no    yes
      AWS_BUCKET                    yes   yes
      AWS_REGION                    yes   yes
      AWS_HOSTNAME                  yes   yes   (only if set in the secret)
      AWS_PROTOCOL                  yes   yes   (only if set in the secret)
      AWS_PATH_STYLE                yes   yes   (only if set in the secret)
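As an added worked example (not code from the 3scale operator or this issue), the Go program below shows the two translations this design implies: turning the `credentials` INI file that the Cloud Credential tooling writes into the flat AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE keys of the proposed STS secret, and deciding from the keys present in a secret whether it is IAM or STS before emitting the system-app env vars listed above. The EnvVar type, the function names and the sample values are assumptions for illustration; a secret that mixes both credential types, or lacks a required key, is rejected instead of silently picking one mode.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// EnvVar is the name/value pair the operator would inject into system-app
// (hypothetical type for this example; the operator uses core/v1 EnvVar).
type EnvVar struct {
	Name  string
	Value string
}

// ParseCloudCredentials reads the `credentials` INI file that the Cloud
// Credential tooling writes into its secret and returns role_arn and
// web_identity_token_file under the flat keys of the proposed STS secret.
func ParseCloudCredentials(ini string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "[") || strings.HasPrefix(line, "#") {
			continue // section header, blank line or comment
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed credentials line %q", line)
		}
		switch strings.TrimSpace(k) {
		case "role_arn":
			out["AWS_ROLE_ARN"] = strings.TrimSpace(v)
		case "web_identity_token_file":
			out["AWS_WEB_IDENTITY_TOKEN_FILE"] = strings.TrimSpace(v)
		}
	}
	if out["AWS_ROLE_ARN"] == "" || out["AWS_WEB_IDENTITY_TOKEN_FILE"] == "" {
		return nil, fmt.Errorf("credentials file lacks role_arn or web_identity_token_file")
	}
	return out, nil
}

// S3SecretToEnv classifies the secret as IAM or STS from the keys present and
// returns the env vars system-app needs. A secret mixing both kinds, or
// missing a required key, is rejected rather than silently falling back.
func S3SecretToEnv(secret map[string]string) ([]EnvVar, error) {
	has := func(k string) bool { return secret[k] != "" }
	iam := has("AWS_ACCESS_KEY_ID") || has("AWS_SECRET_ACCESS_KEY")
	sts := has("AWS_ROLE_ARN") || has("AWS_WEB_IDENTITY_TOKEN_FILE")

	var required []string
	switch {
	case iam && sts:
		return nil, fmt.Errorf("secret mixes IAM and STS keys; provide exactly one credential type")
	case iam:
		required = []string{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
	case sts:
		required = []string{"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}
	default:
		return nil, fmt.Errorf("secret has neither IAM nor STS credential keys")
	}
	required = append(required, "AWS_BUCKET", "AWS_REGION")

	env := []EnvVar{{Name: "FILE_UPLOAD_STORAGE", Value: "s3"}} // tells system that S3 storage is wanted
	for _, k := range required {
		if !has(k) {
			return nil, fmt.Errorf("missing required key %s", k)
		}
		env = append(env, EnvVar{Name: k, Value: secret[k]})
	}
	for _, k := range []string{"AWS_HOSTNAME", "AWS_PROTOCOL", "AWS_PATH_STYLE"} {
		if has(k) { // optional in both modes, forwarded only when set
			env = append(env, EnvVar{Name: k, Value: secret[k]})
		}
	}
	return env, nil
}

func main() {
	// Constructed sample matching the credentials file shape shown in this issue.
	ini := "[default]\nrole_arn = arn:aws:iam::12345:role/example-system-aws-creds\n" +
		"web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token\n"
	secret, err := ParseCloudCredentials(ini)
	if err != nil {
		panic(err)
	}
	secret["AWS_BUCKET"] = "mybucket.example.com" // bucket and region come from the admin, not from the CCO secret
	secret["AWS_REGION"] = "eu-west-1"
	env, err := S3SecretToEnv(secret)
	if err != nil {
		panic(err)
	}
	for _, e := range env {
		fmt.Printf("%s=%s\n", e.Name, e.Value)
	}
}
```

The CCO secret carries only the role and token path, so bucket and region still have to be supplied by whoever creates the STS secret; the example makes that explicit instead of defaulting them.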

      Dev notes:

      • The operator will add a projected volume to the system pods to request a bound service-account token:

      kind: Pod
      apiVersion: v1
      metadata:
        name: aws-cli
        namespace: 3scale-sts-rael
      spec:
        containers:
          - name: bla
            volumeMounts:
              - name: bound-sa-token
                readOnly: true
                mountPath: /var/run/secrets/openshift/serviceaccount
        volumes:
          - name: bound-sa-token
            projected:
              defaultMode: 420
              sources:
                - serviceAccountToken:
                    audience: openshift
                    expirationSeconds: 3600
                    path: token
      

      Maybe, instead of `/var/run/secrets/openshift/serviceaccount`, to avoid clashes with the default service-account mount, we can use the mount path and audience that EKS uses for IAM roles for service accounts:

      volumeMounts:
        - mountPath: "/var/run/secrets/eks.amazonaws.com/serviceaccount/"
          name: aws-token

      volumes:
        - name: aws-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: "sts.amazonaws.com"
                  expirationSeconds: 86400
                  path: token

      Whichever audience is chosen has to match the one the IAM role's trust policy expects for the cluster's OIDC provider (`openshift` vs `sts.amazonaws.com`); otherwise AssumeRoleWithWebIdentity is refused and system-app cannot reach the bucket. The value of AWS_WEB_IDENTITY_TOKEN_FILE must be the mountPath joined with the projected `path`.

       

      The doc should reference the STS-configured cluster prerequisite:

      TESTS

      Please see the attached file validation_help.txt

              People: Unassigned, Eguzki Astiz Lezaun, Darren Fennessy, Miroslav Jaroš (Inactive), Valery Mogilevsky